A common question from DNS filtering users is: "Which device on my network visited this site?" The answer reveals a fundamental aspect of how DNS works — and why device-level visibility requires additional tools.
Every device on your home or office network — laptops, smartphones, tablets, smart TVs, gaming consoles, IoT devices — shares a single public IP address. This is the IP address assigned to your router by your Internet Service Provider (ISP), and it is the only address visible to external services, including DNS filtering providers.
Inside your network, each device has its own private IP address (e.g., 192.168.1.100, 192.168.1.101), assigned by your router via DHCP. However, when traffic leaves your network and reaches the internet, your router performs Network Address Translation (NAT). NAT replaces the private source IP with your single public IP address before forwarding the request to the internet.
When DNS queries from your network reach a filtering provider like CleanBrowsing, they all appear to come from the same source — your router's public IP address. Whether the query originated from your child's tablet, your work laptop, or a smart TV, the DNS provider sees only one IP address. There is no information in the DNS query itself that identifies which internal device made the request.
This is not a limitation specific to CleanBrowsing or any particular DNS service — it is how the internet's addressing system works. NAT was designed to conserve IPv4 addresses by allowing many devices to share a single public IP, but a consequence is that external services lose visibility into individual devices behind the router.
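To make this concrete, the following added example (not part of the original article and not CleanBrowsing's code) encodes two plain DNS queries with no EDNS options, passes them through a toy source NAT, and decodes what the resolver receives. The public IP 203.0.113.7, the ports, the transaction IDs and all helper names are constructed for illustration.

```python
import struct

PUBLIC_IP = "203.0.113.7"  # constructed: documentation-range stand-in for the router's public IP

def build_query(qname, txid, qtype=1):
    """Encode a minimal DNS query (RFC 1035): 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_query(payload):
    """Decode every field present in the query; nothing else is in the message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    pos, labels = 12, []
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return {"id": txid, "flags": flags, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "additional": ar,
            "trailing_bytes": len(payload) - (pos + 5)}

class Nat:
    """Toy source NAT: rewrites (private_ip, port) to (PUBLIC_IP, new_port)."""
    def __init__(self):
        self.table, self.next_port = {}, 40000
    def translate(self, src_ip, src_port, payload):
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return PUBLIC_IP, self.table[key], payload  # payload is forwarded untouched

def resolver_view(lan_packets):
    """What the filtering resolver receives after NAT, plus the router-only table."""
    nat = Nat()
    seen = [nat.translate(*p) for p in lan_packets]
    return [(ip, parse_query(payload)) for ip, _port, payload in seen], nat.table

# Constructed sample traffic: two devices on the LAN ask for different names.
LAN_PACKETS = [
    ("192.168.1.100", 53001, build_query("example.com", 0x1A2B)),
    ("192.168.1.101", 53002, build_query("example.org", 0x3C4D)),
]

if __name__ == "__main__":
    view, table = resolver_view(LAN_PACKETS)
    print(*view, table, sep="\n")
```

Both queries reach the resolver from the same source address and decode to nothing more than an ID, flags and a question; the mapping back to 192.168.1.100 and 192.168.1.101 exists only in the router's NAT table.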
DNS is fundamentally a stateless protocol. Each DNS query is an independent transaction: your device asks "What is the IP address for example.com?" and the resolver responds with the answer. There is no ongoing connection, session, or context maintained between queries.
This differs from how firewalls and web proxies work. A stateful firewall tracks connections from start to finish: it knows which device initiated a connection, what protocol is being used, and how long the connection has been active. A web proxy can associate HTTP requests with user sessions, cookies, and authentication tokens.
DNS has none of this context. It does not track which device initiated a request, it does not associate queries with specific users, and it does not maintain any history of the conversation between queries. Each DNS query arrives, gets resolved, and the transaction is complete. The resolver has no way to correlate multiple queries to the same device or user, because DNS was designed as a simple, fast lookup service — not a traffic monitoring system.
This stateless design is actually what makes DNS so fast and scalable. DNS resolvers like CleanBrowsing can process billions of queries per month precisely because they do not need to maintain state for each one. But it also means that DNS is not the right tool for tracking individual device activity — that requires tools that operate at a different layer of the network stack.
The most common way to deploy DNS filtering is at the router level. You change the DNS server settings on your router from your ISP's default DNS to a filtering DNS service like CleanBrowsing. Once configured, every device that connects to your network automatically uses the filtering DNS — no software installation or per-device configuration required.
This is one of the greatest strengths of router-level DNS filtering: simplicity and universal coverage. A single configuration change protects laptops, phones, tablets, gaming consoles, smart TVs, and IoT devices. There are no agents to install, no compatibility issues to worry about, and no way for individual devices to opt out (as long as the router is properly configured to enforce DNS settings).
However, because the DNS filtering service sees only one source — the router's public IP — it applies the same filtering rules to every device behind that router. If your filtering policy blocks adult content, that policy applies equally to your child's tablet, your personal laptop, and your smart TV. There is no way for the DNS service to distinguish between these devices based on the DNS queries alone.
This is by design. Router-level DNS filtering is intended to provide uniform, network-wide protection. It ensures that every device on the network meets the same baseline filtering standard, which is exactly what most families, schools, and small businesses need. The goal is not to monitor individual devices but to ensure that no device on the network can access blocked content.
If you need device-specific filtering and monitoring — different rules for different devices, or the ability to see which device accessed which domain — there are several approaches:
For most home users, CleanBrowsing's roaming clients and user profiles provide the right balance of device-level control and simplicity. For organizations with more complex requirements, combining DNS filtering with a network firewall provides comprehensive visibility and control at every layer.